Active Directory Certificate Services (AD CS) is increasingly exploited by ransomware groups and state-sponsored actors for privilege escalation and persistence. This deep-dive covers the five-phase AD CS attack lifecycle, focusing on certificate template misconfigurations (ESC1 and related techniques) and shadow credential abuse via the msDS-KeyCredentialLink attribute. The attacker toolkit — including Certipy, Certify, Whisker, and pyWhisker — is analyzed in detail. Detection strategies go beyond signatures, covering Windows Event IDs (4886, 4887, 4898, 5136, 4768/4769), LDAP activity monitoring, and behavioral analytics. A comprehensive table of Cortex XDR/XSIAM alerts mapped to MITRE ATT&CK techniques is provided for defenders.
Table of contents
Executive Summary
Introduction: The Critical Role (and Risk) of AD CS
Ongoing Exploitation and Blind Spots
Phase Breakdown: How AD CS Attacks Work
Deep Dive: Key AD CS Attack Techniques
The Attacker Toolkit for AD CS Exploitation
Conclusion
Additional Resources
Appendix A: Detection Strategies: Beyond Signatures
Appendix B: Cortex XDR/XSIAM Alerts on AD CS Activity